
A piece of code from an unknown cryptographic routine


kbug
September 27th, 2005, 03:45
Hi all:
I found a piece of code from an unknown cryptographic routine and rewrote it in C, but my version looks clumsy and may well be wrong. Can anybody make it cleaner?
Code:

; 32-bit x86, OllyDbg dump.  C view: decrypt2(int len, u32 *pout, u32 *pin), stack args, caller cleans up.
; For i = len-1 down to 0 it squares the 32-bit word pin[i] into a 64-bit value
; (three 16x16-bit partial products: lo*lo, hi*lo, hi*hi) and ADDS that square
; into pout[2i] (high half) and pout[2i+1] (low half); a carry out of pout[2i]
; is carried into the next pair processed, i.e. the one at the lower address.
005AF69C 55 push ebp 005AF69D 8BEC mov ebp,esp 005AF69F 83C4 F8 add esp,-8 005AF6A2 33C0 xor eax,eax ; frame + 8 bytes of locals; eax = 0
005AF6A4 53 push ebx ; save the callee-saved registers used below
005AF6A5 56 push esi
005AF6A6 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = carry out of the previous pair, starts at 0
005AF6A9 8B55 08 mov edx,dword ptr ss:[ebp+8] ; arg 1: len, number of 32-bit input words
005AF6AC 03D2 add edx,edx
005AF6AE C1E2 02 shl edx,2 ; edx = len * 8
005AF6B1 0155 0C add dword ptr ss:[ebp+C],edx ; arg 2 (pout) += len*8 -> one past the 2*len output words
005AF6B4 8B4D 10 mov ecx,dword ptr ss:[ebp+10] ; arg 3: pin
005AF6B7 8B45 08 mov eax,dword ptr ss:[ebp+8]
005AF6BA 8D1481 lea edx,dword ptr ds:[ecx+eax*4]
005AF6BD 8955 F8 mov dword ptr ss:[ebp-8],edx ; [ebp-8] = pin + len*4 -> one past the last input word
005AF6C0 E9 A9000000 jmp Target Name Deleted.005AF76E ; enter at the loop test; pin is pre-decremented there
005AF6C5 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
005AF6C8 8B19 mov ebx,dword ptr ds:[ecx] ; ebx = x = *pin
005AF6CA 8BD3 mov edx,ebx
005AF6CC 0FB7C2 movzx eax,dx ; eax = lo = x & 0xFFFF
005AF6CF 8BC8 mov ecx,eax
005AF6D1 0FAFC8 imul ecx,eax ; ecx = lo*lo (operands are zero-extended 16-bit, so imul == mul here)
005AF6D4 C1EB 10 shr ebx,10 ; ebx = hi = x >> 16
005AF6D7 8BC1 mov eax,ecx ; eax = ll = lo*lo
005AF6D9 0FB7CB movzx ecx,bx
005AF6DC 0FB7F3 movzx esi,bx
005AF6DF 0FB7DB movzx ebx,bx ; ecx = esi = ebx = hi
005AF6E2 0FB7D2 movzx edx,dx ; edx = lo
005AF6E5 0FAFDA imul ebx,edx ; ebx = hl = hi*lo
005AF6E8 0FAFCE imul ecx,esi ; ecx = hh = hi*hi
005AF6EB 8BF3 mov esi,ebx
005AF6ED 8BD0 mov edx,eax ; edx = low half before the add, kept for the carry test
005AF6EF C1E6 10 shl esi,10
005AF6F2 03C6 add eax,esi ; low = ll + (hl << 16)
005AF6F4 8BF3 mov esi,ebx
005AF6F6 C1EE 10 shr esi,10 ; esi = hl >> 16
005AF6F9 3BC2 cmp eax,edx ; CF = 1 iff the add above wrapped
005AF6FB 0F92C2 setb dl ; setb writes only dl ...
005AF6FE 83E2 01 and edx,1 ; ... so mask the stale upper bytes: edx = carry (0/1)
005AF701 03F2 add esi,edx
005AF703 8BD0 mov edx,eax
005AF705 03CE add ecx,esi ; high = hh + (hl >> 16) + carry
005AF707 8BF3 mov esi,ebx
005AF709 C1E6 10 shl esi,10
005AF70C C1EB 10 shr ebx,10 ; ebx = hl >> 16
005AF70F 03C6 add eax,esi ; low += hl << 16 (second cross term: 2*hi*lo*2^16)
005AF711 3BC2 cmp eax,edx
005AF713 0F92C2 setb dl
005AF716 83E2 01 and edx,1
005AF719 03DA add ebx,edx ; ebx = (hl >> 16) + carry
005AF71B 8BD0 mov edx,eax
005AF71D 0345 FC add eax,dword ptr ss:[ebp-4] ; low += carry in from the previous (higher-addressed) pair
005AF720 03CB add ecx,ebx ; high = hh + 2*(hl >> 16) + carries
005AF722 3BC2 cmp eax,edx
005AF724 0F92C2 setb dl ; carry of the carry-in add captured here, before sub clobbers the flags
005AF727 836D 0C 04 sub dword ptr ss:[ebp+C],4 ; pout-- (now -> low word of this pair)
005AF72B 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
005AF72E 83E2 01 and edx,1
005AF731 03CA add ecx,edx ; high += that carry
005AF733 8BD0 mov edx,eax
005AF735 0303 add eax,dword ptr ds:[ebx] ; low += *pout : the result is ACCUMULATED, not overwritten
005AF737 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
005AF73A 3BC2 cmp eax,edx ; CF = carry of that add; the two movs below leave it intact
005AF73C 8BD1 mov edx,ecx ; edx = high before the carry, for the wrap test below
005AF73E 8903 mov dword ptr ds:[ebx],eax ; store low half at pout[2i+1]
005AF740 0F92C3 setb bl
005AF743 83E3 01 and ebx,1
005AF746 03CB add ecx,ebx ; high += carry
005AF748 3BCA cmp ecx,edx ; did high wrap?
005AF74A 8BD1 mov edx,ecx
005AF74C 0F92C0 setb al
005AF74F 83E0 01 and eax,1
005AF752 8945 FC mov dword ptr ss:[ebp-4],eax ; carry out so far (0 or 1)
005AF755 836D 0C 04 sub dword ptr ss:[ebp+C],4 ; pout-- (now -> high word of this pair)
005AF759 8B45 0C mov eax,dword ptr ss:[ebp+C]
005AF75C 0308 add ecx,dword ptr ds:[eax] ; high += *pout
005AF75E 8B45 0C mov eax,dword ptr ss:[ebp+C]
005AF761 3BCA cmp ecx,edx
005AF763 0F92C2 setb dl
005AF766 83E2 01 and edx,1
005AF769 8908 mov dword ptr ds:[eax],ecx ; store high half at pout[2i]
005AF76B 0155 FC add dword ptr ss:[ebp-4],edx ; carry out += wrap of that add -> feeds the next pair
005AF76E 8345 F8 FC add dword ptr ss:[ebp-8],-4 ; pin--
005AF772 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
005AF775 8345 08 FF add dword ptr ss:[ebp+8],-1 ; len--
005AF779 85C9 test ecx,ecx
005AF77B ^ 0F85 44FFFFFF jnz Target Name Deleted.005AF6C5 ; loop while the OLD len != 0 (a negative len walks far outside both buffers)
005AF781 5E pop esi
005AF782 5B pop ebx
005AF783 59 pop ecx ; two pops into the scratch register discard the 8 bytes of locals
005AF784 59 pop ecx
005AF785 5D pop ebp
005AF786 C3 retn ; no stack adjustment: the caller pops the three arguments


I wrote it in C, but when I look at the result it is embarrassing:

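/*
 * C rendering of the routine dumped above.
 *
 * For i = len-1 down to 0, take the 32-bit word pcryptdat[i], build its full
 * 64-bit square from three 16x16-bit partial products (lo*lo, hi*lo, hi*hi)
 * and ADD that square into the pair pdest[2*i] (high half) / pdest[2*i+1]
 * (low half).  A carry out of pdest[2*i] is added into the next pair
 * processed, i.e. the one at the lower address, so pdest is a
 * most-significant-word-first accumulator: it is updated, never overwritten.
 *
 * len        number of 32-bit input words (len <= 0 does nothing; the asm
 *            loops until len wraps through zero, which is never intended)
 * pdest      2*len words, accumulated into
 * pcryptdat  len words, read only
 *
 * The words are 32-bit: `unsigned` here matches the dword accesses in the
 * asm, whereas `long` does not on LP64 platforms.  All arithmetic is
 * unsigned so the wrap-around carry tests are well defined.
 */
void decrypt2(int len, unsigned *pdest, unsigned *pcryptdat)
{
    unsigned carry = 0;                   /* carry out of the previous pair ([ebp-4]) */
    unsigned *pin = pcryptdat + len;      /* one past the last input word */
    unsigned *pout = pdest + 2 * len;     /* one past the last output word */

    while (len-- > 0) {
        unsigned x = *--pin;
        unsigned lo = x & 0xFFFFu;
        unsigned hi = x >> 16;
        unsigned ll = lo * lo;            /* low*low  */
        unsigned hl = hi * lo;            /* high*low */
        unsigned hh = hi * hi;            /* high*high */
        unsigned low = ll, high = hh, t, c;

        /* x*x = hh<<32 + 2*(hl<<16) + ll; the cross term is added twice,
         * each time carrying the wrap of the low half into the high half */
        t = low + (hl << 16);
        high += (hl >> 16) + (t < low);
        low = t;

        t = low + (hl << 16);
        high += (hl >> 16) + (t < low);
        low = t;

        /* carry in from the previously processed (higher-addressed) pair */
        t = low + carry;
        high += (t < low);
        low = t;

        /* accumulate the low half into pdest[2*i+1] */
        --pout;
        t = low + *pout;
        *pout = t;
        c = (t < low);
        t = high + c;
        carry = (t < high);               /* high wrapped while absorbing the carry */
        high = t;

        /* accumulate the high half into pdest[2*i]; any wrap is carried on */
        --pout;
        t = high + *pout;
        *pout = t;
        carry += (t < high);
    }
}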


Thank you for taking the time to read this.

CluelessNoob
September 27th, 2005, 08:42
Quote:
[Originally Posted by kbug]Hi all:
I found a piece of code from an unknown cryptographic routine and rewrote it in C, but my version looks clumsy and may well be wrong. Can anybody make it cleaner?

Thank you for taking the time to read this.


I can't help much with the crypto, but I can tell you that you run the risk of JMI's wrath for posting code with target identity labels in it.

I strongly suggest you edit your post to remove them.

bilbo
September 27th, 2005, 09:19
Hi, kbug,

the trick in these cases is to single-step the code and watch what it actually does to the registers and memory before converting it to C; otherwise the conversion adds nothing to your understanding of the algorithm.

In this case, since I didn't have the EXE at hand, I re-entered your code as inline asm and compiled it with MS VC++ without modifying a single instruction. After stepping through it and playing with it, I added some comments...

As you can check yourself, the subroutine is not so cryptic: for each 32-bit input word it computes the full 64-bit square (x*x, assembled from three 16x16-bit partial products) and adds it, carries included, into the matching pair of output words. That is the kind of per-word squaring step you would expect inside a multi-precision squaring routine.

Have fun in this strange world of bits! bilbo

Code:

/* coded by bilbo - 27sep05 */
/* hex constants rewritten in decimal (+C -> +12, shift count 10h -> 16) because
 * inline asm reads a bare number as decimal */

#include <stdio.h>

/*
 * kbug's routine re-assembled verbatim as MSVC x86 inline asm.
 * __declspec(naked) stops the compiler from emitting its own prologue and
 * epilogue, so the dumped push/pop sequence is used unchanged.
 *
 *   decrypt2(len, pout, pin)
 *
 * For i = len-1 down to 0: take the 32-bit word pin[i], build its full 64-bit
 * square from three 16x16-bit partial products (ll, hl, hh) and ADD it into
 * the pair pout[2i] (high half) / pout[2i+1] (low half).  A carry out of
 * pout[2i] is kept in [ebp-4] and added into the next pair processed, i.e.
 * the one at the lower address, so pout is a most-significant-word-first
 * accumulator rather than a fresh result.
 */
__declspec(naked) void
decrypt2(int len, unsigned *pout, unsigned *pin)
{
__asm {
push ebp
mov ebp,esp
add esp,-8 ; two dword locals: [ebp-4] = carry, [ebp-8] = pin
xor eax,eax
push ebx
push esi
mov dword ptr ss:[ebp-4],eax ; carry out of the previous pair, starts at 0

mov edx,dword ptr ss:[ebp+8] ; arg 1: number of longs
add edx,edx
shl edx,2 ; *= 8
add dword ptr ss:[ebp+12],edx ; pout at end: += 2*longs*4
mov ecx,dword ptr ss:[ebp+16]
mov eax,dword ptr ss:[ebp+8]
lea edx,dword ptr ds:[ecx+eax*4] ; pin at end: += longs*4
mov dword ptr ss:[ebp-8],edx
jmp loop_check

; one pass per input long, from the last long down to the first;
; each pass adds in[i]^2 into the two output longs out[2i], out[2i+1]
loop_start:
mov ecx,dword ptr ss:[ebp-8] ; pin
mov ebx,dword ptr ds:[ecx] ; get one long from in
mov edx,ebx
movzx eax,dx ; low 16 bits
mov ecx,eax
imul ecx,eax ; low * low = ll
shr ebx,16 ; high 16 bits
mov eax,ecx

movzx ecx,bx
movzx esi,bx
movzx ebx,bx
movzx edx,dx
imul ebx,edx ; high * low = hl
imul ecx,esi ; high * high = hh
mov esi,ebx
mov edx,eax ; keep the old low value for the carry test
shl esi,16 ; hl<<16
add eax,esi ; low_long_tot = ll+(hl<<16)
mov esi,ebx
shr esi,16 ; hl>>16

; carry correction stuff: setb writes only dl, the and masks the rest
cmp eax,edx
setb dl
and edx,1 ; 0 or 1
add esi,edx

mov edx,eax
add ecx,esi ; high_long_tot = hh+(hl>>16)

mov esi,ebx
shl esi,16 ; hl<<16
shr ebx,16 ; hl>>16
add eax,esi ; low_long_tot = ll+(hl<<16)+(hl<<16)

; carry correction stuff
cmp eax,edx
setb dl
and edx,1 ; 0 or 1
add ebx,edx

; add the carry out of the previous pair.  It is 0 in the sample below only
; because out[] starts zeroed; when out[] already holds data it can be 1
mov edx,eax
add eax,dword ptr ss:[ebp-4]

add ecx,ebx ; high_long_tot = hh+(hl>>16)+(hl>>16)

; carry correction stuff (dl is captured before the sub clobbers the flags)
cmp eax,edx
setb dl
sub dword ptr ss:[ebp+12],4 ; updated pout
mov ebx,dword ptr ss:[ebp+12] ; updated pout
and edx,1 ; 0 or 1
add ecx,edx

; low_long_tot += low_prev_value (accumulate, not overwrite)
mov edx,eax
add eax,dword ptr ds:[ebx]

mov ebx,dword ptr ss:[ebp+12] ; pout
cmp eax,edx
mov edx,ecx ; mov leaves CF alone
; stuff-in low_long result
mov dword ptr ds:[ebx],eax

; carry correction stuff
setb bl
and ebx,1 ; 0 or 1
add ecx,ebx

; carry correction stuff: did the high long wrap?
cmp ecx,edx
mov edx,ecx
setb al
and eax,1 ; 0 or 1
; migrate carry to next loop
mov dword ptr ss:[ebp-4],eax

; update pout
sub dword ptr ss:[ebp+12],4
mov eax,dword ptr ss:[ebp+12]

; high_long_tot += high_prev_value
add ecx,dword ptr ds:[eax]
mov eax,dword ptr ss:[ebp+12] ; pout

; carry correction stuff
cmp ecx,edx
setb dl
and edx,1
; stuff-in high_long result
mov dword ptr ds:[eax],ecx
; migrate carry to next loop (the pair at the next lower address)
add dword ptr ss:[ebp-4],edx ; update cy

loop_check:
add dword ptr ss:[ebp-8],-4 ; bump back pin
mov ecx,dword ptr ss:[ebp+8] ; number of longs
add dword ptr ss:[ebp+8],-1 ; dec number of longs
test ecx,ecx
jnz loop_start ; continue while the old count was non-zero

pop esi
pop ebx
pop ecx ; two pops drop the 8 bytes of locals
pop ecx
pop ebp
retn ; caller cleans up the three arguments
}
}

/*
* let's see a sample with two longs in input: it will give 4 longs
* in output
*/
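#define LONGS 2

/*
 * Demo driver: squares each of LONGS input dwords through decrypt2() and
 * then through a plain 32x32->64 MUL so the two outputs can be compared.
 * MSVC x86 inline asm, like decrypt2 above.  Returns 0.
 */
int main(void)
{
    /* decrypt2 ADDS into out[], so it must start cleared */
    unsigned out[2 * LONGS] = { 0 };
    unsigned in[LONGS] = { 0x12345678, 0x87654321 }; /* for example... */
    int i;
    unsigned hi, lo;

    decrypt2(LONGS, out, in);
    printf("result: %08x %08x %08x %08x\n\n",
           out[0], out[1], out[2], out[3]);

    /*
     * Same thing with the hardware multiplier.  Walking the words in the
     * opposite direction is harmless here only because out[] started at
     * zero: then no carry ever crosses from one dword pair into the next,
     * not even for 0xFFFFFFFF^2 = 0xFFFFFFFE00000001.
     */
    printf("power-of-two alternate method: ");
    for (i = 0; i < LONGS; i++) {
        hi = in[i];            /* mul wants its operand in eax */
        __asm mov eax, hi;
        __asm mul eax;         /* edx:eax = eax * eax */
        __asm mov hi, edx;
        __asm mov lo, eax;
        printf("%08x %08x ", hi, lo);
    }
    printf("\n");
    return 0;
}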

kbug
September 27th, 2005, 12:27
Quote:
[Originally Posted by CluelessNoob]I can't help much with the crypto, but I can tell you that you run the risk of JMI's wrath for posting code with target identity labels in it.

I strongly suggest you edit your post to remove them.



Hi CluelessNoob:
Anyway, thanks for pointing it out.
Before posting I did read the FAQ; I did not think it said that naming the target in code was forbidden, so maybe I missed it. Can you tell me exactly what the rule is?
and

Hi JMI:
if naming the target in the code is really not permitted, I am very sorry and I will edit the post. I only left it in because I thought the code snippet read more clearly with it.
kbug

JMI
September 27th, 2005, 15:27
kbug:

Obviously you did NOT read the FAQ or, at least, read it very carefully because it CLEARLY states, near the top:

DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem.


Generally, there is NO REASON to identify the target in your code snippets and if members want to take a look at the target THIS INFORMATION CAN BE EXCHANGED BY PM.

Regards,

Silver
September 28th, 2005, 06:56
I caught the original post before you edited it, but didn't have time to reply yesterday. What you're trying to do seems to be related to cheat-coding or resource editing in the game. You may want to look at the existing game hackers out there (such as Xantax Commander/MultiEx Commander) which may already do what you want - it may be easier to reverse what they do than to reverse what the app does.

kbug
September 28th, 2005, 09:26
JMI:
About the target name in the code: is the key point that one must not post code showing where and how to patch or keygen?
My English is poor, so I may not understand the rule clearly, but that is no excuse for breaking it; please pardon me.
kbug

kbug
September 28th, 2005, 10:32
bilbo:
You are great! How do you make it look so easy? I spent hour after hour on this small routine and the result above is just clumsy. Thank you!
This piece of code is definitely part of a decryption algorithm: the whole algorithm takes 0x80 bytes of input and produces an ASCII user name, and it performs calculations like the one above many, many times.
bilbo, I am glad to enter the world of bits and I enjoy it, but you know how hard it is.
Could you recommend a good book or tutorial on asm code analysis? Thanks.
kbug

JMI
September 28th, 2005, 12:01
kbug:

The purpose of the Rule is to keep software manufacturers from complaining to our service provider about what is posted here. The Rule is intended to keep you and other users from actually identifying the target software, except by PM. Generally, there is NO NEED to identify the target to discuss reversing issues. You can ask questions about a code section WITHOUT HAVING ANY IDENTIFICATION OF THE TARGET software listed in the display. That is generally what we require and it is a Rule you will follow.

Regards,

bilbo
September 29th, 2005, 04:28
Quote:
[Originally Posted by kbug]could you introduce some good book or tutorial about asm code analysis to me?

sorry, kbug, I cannot help you because I never found such a book. My best friends are the Intel ASM manuals, three or four debuggers (very important to single-step as I told you before), one disassembler, a text editor (to avoid to have tons of paper with my comments near the computer) and a lot of patience.
Ahah, and don't be so determined to crack games! You could lose interest for the bits! I would prefer crackme's and related tutorials!

Quote:
[Originally Posted by JMI]The purpose of the Rule is to keep software manufacturer's from complaining to our service provider about what is posted here

That's great, obviously, even if for me it is rather a matter of professional ethics than of legality. By the way, I sometimes wonder why we can freely talk about FlexLM or Armadillo... dELTA's explanation is not so persuasive!

Best regards, bilbo

naides
September 29th, 2005, 08:09
Quote:
[Originally Posted by bilbo]. . . By the way, I sometimes wonder why we can freely talk about Flexlm or Armadillo... dELTA's explanation is not so persuasive!

Best regards, bilbo


If I may eavesdrop. . .

I doubt protector authors would like to see this board closed, for several reasons.
Nico, and in his time Alex Solodovnikov, plus undoubtedly many other open and undercover protector authors have been on the board, and while a little cranky, their attitude has been positive, one of friendly rivalry.
The very reason for their existence and the source of their sales and income are intertwined with the reasons for this board's existence.

bilbo
September 29th, 2005, 08:43
I know, naides, you are right, I wanted to be just a little provocative.
Anyway I would never spread Armadillo's secrets, because Nico has my address :-)

Regards, bilbo

dELTA
September 29th, 2005, 12:19
Quote:
Quote:
[Originally Posted by JMI]
The purpose of the Rule is to keep software manufacturer's from complaining to our service provider about what is posted here
<snip>... dELTA's explanation is not so persuasive!
Bilbo, couldn't you at least have showed the effort of removing the name of the guy who really wrote what was in that quote, before trying to pin it on me?

0xf001
September 29th, 2005, 12:30
hi all,

i think the FAQ now looks nicer, but there are some important parts that need to be stressed where i feel the design fails a bit. i am gonna rework the FAQ page to make it unmistakably clear, so that nobody can then say

"i read the FAQ but i did not see this rule", or "i read the f*ck but i did not understand it clearly" hehehehe

i think we need to clearly point out that the FAQ contains usage _rules_. "FAQ" probably sounds too uninteresting to people who already know how a board works and therefore might not really consider reading it. it is a question of behaviour of course. anyway, hope that will help!

cheers, 0xf001

JMI
September 29th, 2005, 18:00
And I think we should ALWAYS just blame dELTA...... just on general principles.

Regards,

bilbo
September 30th, 2005, 01:55
sorry dELTA, I was referring to another thread in which you answered to LLXX:
Quote:
[Originally Posted by dELTA]We usually allow names of generic protection schemes, like e.g. SafeDisc. And as long as no target specific code is mentioned from the individual examples of games that was mentioned to have this protection above, it's ok

I would never be so bitter against you as JMI is...
Best regards, bilbo

JMI
September 30th, 2005, 03:02
Whoa. I'm not bitter. dELTA and I just enjoy teasing each other.

Regards,